samedi 6 décembre 2014

Writing Obfuscated Code in Assembly - Code Mutation

An
Obfuscated Code is a code that has been modified and/or transformed in order to
make it harder (but not impossible) for humans to read and understand.
Unfortunately this technique has some disadvantages, it takes time to make an
obfuscated code especially if you have a long code, and some anti-virus
softwares could alert some obfuscated code as some kind of a malware.

There are
so many methods of obfuscation, I’ll only cover a few. In this tutorial I will talk
about is Code Mutation. It’s a technique that aims to replace each
instruction by it's equivalent.

Assuming
you want to calculate a number (for example 5) and then put it in a register (EAX
for example). Mathematically there are many ways as you can see:

1+1+1+1+1=5

2+3=5

2*3-1=5

25/5=5

sqrt(25)=5

3!-1=5

This is the
same as in programming. Let's see how to do that. I'll only work
on the first one (1+1+1+1+1=5) given that this is not about how to calculate.

We can express (1+1+1+1+1=5) in many ways. The first
way would be to use INC instruction 5 times, meaning increase EAX
five times:

XOR EAX,
EAX

INC EAX

INC EAX

INC EAX

INC EAX

INC EAX

OR we can
use the instruction ADD EAX, 1 instead of INC EAX:

XOR EAX,
EAX

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

Another way
is to use INC EAX or ADD EAX,1 inside a loop and
count EAX until it reaches 5:

XOR EAX,
EAX

@@:

INC EAX

CMP EAX,
5

JNZ @B

@@:

ADD EAX,
1

CMP EAX,
5

JNZ @B

But that has nothing with what we want, what we want is to make it just a little bit
harder to understand. That's where the important part comes, we’ll be working on the following code sample:

XOR EAX,
EAX

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

ADD EAX,
1

Instead of
using XOR EAX, EAX we could use MOV EAX, 0. And instead of ADD
EAX, 1 we could use:

NOT EAX

NEG EAX

Which would
lead us to the following code:

MOV EAX,
0

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

NOT EAX

NEG EAX

MOV EAX,
0 could become:

LEA EAX,
0

NOT EAX:

NEG EAX

SUB EAX,
1

AND NEG
EAX:

NOT EAX

ADD EAX,
1

I guess you
know what does that mean! Yes that’s right, we replace each instruction with it’s
equivalent:

LEA EAX,
0

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

NEG EAX

SUB EAX,
1

NOT EAX

ADD EAX,
1

As you can see above, our code has grown a
little and has become a little bit harder to understand (not impossible). You can
also see that we’ve got the same instructions we’ve mutated before (ADD EAX,
1, NOT EAX, NEG EAX) plus a new one (SUB EAX, 1) that can also be
mutated to (NEG EAX and NOT EAX) which means that each
instruction has an infinite amount of mutations.

Hope this was a useful article. Now you can try out the rest of the expressions.